Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: CORS Middleware not setting all headers as per spec #3178

Closed
1 of 4 tasks
crisog opened this issue Mar 7, 2024 · 1 comment · Fixed by #3179
Closed
1 of 4 tasks

Bug: CORS Middleware not setting all headers as per spec #3178

crisog opened this issue Mar 7, 2024 · 1 comment · Fixed by #3179
Labels
Bug 🐛 This is something that is not working as expected

Comments

@crisog
Copy link
Contributor

crisog commented Mar 7, 2024
edited
Loading

Description

Right now, there's only a handful of headers that are only being set for the preflight request. They must be set for both the preflight and actual request.
https://fetch.spec.whatwg.org/#http-responses

Only Access-Control-Allow-Origin is being set here.

litestar/litestar/middleware/cors.py

Lines 61 to 73 in 1fb981d

async def wrapped_send(message: Message) -> None:
if message["type"] == "http.response.start":
message.setdefault("headers", [])
headers = MutableScopeHeaders.from_message(message=message)
headers.update(self.config.simple_headers)
if (self.config.is_allow_all_origins and has_cookie) or (
not self.config.is_allow_all_origins and self.config.is_origin_allowed(origin=origin)
):
headers["Access-Control-Allow-Origin"] = origin
headers["Vary"] = "Origin"
await send(message)

Only Access-Control-Allow-Credentials and Access-Control-Expose-Headers get set here, and this is what the above code uses to update headers

litestar/litestar/config/cors.py

Lines 123 to 136 in 1fb981d

def simple_headers(self) -> dict[str, str]:
"""Get cached simple headers.
Returns:
A dictionary of headers to set on the response object.
"""
simple_headers = {}
if self.is_allow_all_origins:
simple_headers["Access-Control-Allow-Origin"] = "*"
if self.allow_credentials:
simple_headers["Access-Control-Allow-Credentials"] = "true"
if self.expose_headers:
simple_headers["Access-Control-Expose-Headers"] = ", ".join(sorted(set(self.expose_headers)))
return simple_headers

This still doesn't account for:

  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

which are only set on preflight, but should also be set to the actual request.

Litestar Version

2.2.1

Platform

  • Linux
  • Mac
  • Windows
  • Other (Please specify in the description above)

Note

While we are open for sponsoring on GitHub Sponsors and
OpenCollective, we also utilize Polar.sh to engage in pledge-based sponsorship.

Check out all issues funded or available for funding on our Polar.sh dashboard

  • If you would like to see an issue prioritized, make a pledge towards it!
  • We receive the pledge once the issue is completed & verified
  • This, along with engagement in the community, helps us know which features are a priority to our users.
Fund with Polar
@crisog crisog added the Bug 🐛 This is something that is not working as expected label Mar 7, 2024
@crisog crisog mentioned this issue Mar 7, 2024
Merged
@github-actions GitHub Actions
Copy link

A fix for this issue has been released in v2.7.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug 🐛 This is something that is not working as expected
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: missing cors headers in response crisog/litestar
1 participant
@crisog